BT Binding Corporate Rules

Version V1.2

Document Ref BCRs/AUTHORISED/V1.2

PROPRIETARY INFORMATION OF BT PLC

This document contains information proprietary to BT PLC and may not be reproduced, disclosed or used in whole or in part without the express permission of BT PLC

© BT PLC


Table of Contents

1. Introduction ............................................................................................................................. 1

2. Definitions and Interpretation .................................................................................................. 1

3. Scope........................................................................................................................................ 4

4. Data Protection Principles......................................................................................................... 5

5. Transparency and Information Access....................................................................................... 6

6. Rights of Individuals .................................................................................................................. 7

7. Security and Confidentiality ...................................................................................................... 8

8. Internal Processing of Personal Data ......................................................................................... 9

9. External Processing of Personal Data ...................................................................................... 10

10. Assurance and Audit ............................................................................................................... 11

11. Compliance Structure ............................................................................................................. 13

12. Conflicts ................................................................................................................................. 13

13. Complaints ............................................................................................................................. 14

Procedure for where the BT Group Company is a Data Processor............................................ 15

14. Third Party Beneficiary Rights and Liability .............................................................................. 16

Rights and liabilities applicable where a BT Group Company is a Data Controller .................... 16

Rights and Liabilities applicable where a BT Group Company is a Data Processor .................... 16

Burden of Proof ...................................................................................................................... 18

Limitation of liability ............................................................................................................... 18

15. Cooperation with Data Protection Authorities ........................................................................ 19

16. Updates to these Rules ........................................................................................................... 19

1. Introduction

1.1 These Rules apply to the processing of Personal Data by BT Group Companies and will provide adequate protection for the transfer of Personal Data outside of the EEA and Approved Countries by the BT Group Companies in accordance with the requirements of the Data Protection Legislation.

1.2 These Rules apply to:

1.2.1 the processing of Personal Data in the EEA by a BT Group Company located in the EEA;

1.2.2 the processing of Personal Data by a BT Group Company located outside of the EEA;

1.2.3 any transfer of Personal Data out of the EEA by one BT Group Company to another BT Group Company; and

1.2.4 any subsequent processing or sub-processing of the Personal Data described in paragraph 1.2.3 by a BT Group Company located outside of the EEA including any transfer from one non-EEA based BT Group Company to another non-EEA based BT Group Company.

1.3 The Board of Directors of each of the BT Group Companies are committed to ensuring compliance with these Rules.

1.4 All Personnel of each BT Group Company will: (i) have a copy of these Rules made available to them; (ii) be provided with appropriate training on compliance with these Rules; and (iii) be required to ensure compliance with these Rules by agreeing to comply with The Way We Work, which makes reference to these Rules and contains sanctions in the event of non-compliance.

1.5 All Personnel of each Data Processor and Sub-Processor will respect: (i) the relevant third party Data Controller’s instructions in relation to the processing of its Third Party Personal Data, and (ii) security and confidentiality measures as set out in the relevant Data Processing Agreement.

1.6 The person that is ultimately responsible for compliance with these Rules is: the BT Chief Privacy Officer (the “Chief Privacy Officer”).

2. Definitions and Interpretation

2.1 In these Rules: “data controller”, “data processor”, “data subject”, “personal data”, “processing” and “sensitive personal data” shall each have the same meanings as are given to them in the Data Protection Directive and “process” and “processed” shall be construed accordingly.

2.2 In these Rules, the following terms have the meanings set out below:


“Applicable Law” means the mandatory requirements of any law, enactment, regulation, regulatory policy, guideline or Regulatory Authority applicable to a BT Group Company and/or to any of the activities of a BT Group Company;

“Approved Country” means any non-EEA country officially recognised by the European Commission from time to time as ensuring an adequate level of protection for personal data;

“BT” means the BT Group Companies (including BT Plc) and their successors and assigns;

“BT Group Companies” means the entities set out in Appendix 1 (Participating BT Group Companies) comprising all BT operating entities which have executed these Rules and are bound by these Rules, as updated from time to time by BT Plc;

“BT Personal Data” means internal personal data originating from any BT Group Company located within the EEA;

“BT Plc” means British Telecommunications plc a company registered in England and Wales under company number 1800000 whose registered office is at: 81 Newgate Street, London EC1A 7AJ, and its successors and assigns;

“Chief Privacy Office” has the meaning provided in paragraph 11.1;

“Chief Privacy Officer” has the meaning provided in paragraph 1.6;

“Controller to Controller Model Clauses” means the standard contractual clauses for the transfer of personal data from the EEA to third countries as approved in the European Commission decision of 27 December 2004 as amended, substituted or replaced from time to time and as set out in Section 2 of Appendix 3 (Model Clauses);

“Controller to Processor Model Clauses” means the standard contractual clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as approved in the European Commission decision of 5 February 2010 as amended, substituted or replaced from time to time and as set out in Section 1 of Appendix 3 (Model Clauses);

“Data Controller” means the relevant third party data controller of Third Party Personal Data, or the relevant EEA based BT Group Company data controller of Third Party Personal Data or BT Personal Data (as the context requires);

“Data Processor” means any BT Group Company that processes BT Personal Data or Third Party Personal Data (as the context requires) as a data processor on behalf of a Data Controller;

“Data Processing Agreement(s)” means the contract that is required to be in place in respect of Third Party Personal Data between the relevant third party Data Controller and the relevant Data Processor, pursuant to Article 17(3) of the Data Protection Directive;

“Data Protection Directive” means Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

“Data Protection Legislation” means the Data Protection Directive and the E-Privacy Directive and any future legislation amending or replacing these directives;

“EEA” means the European Economic Area;

“E-Privacy Directive” means Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector;

“Individual” shall have the same meaning as data subject;

“Personal Data” means Third Party Personal Data and BT Personal Data;

“Personnel” means BT personnel that have permanent or regular access to Personal Data; and/or are involved in the collection of such Personal Data; and/or are involved in the development of tools using such Personal Data;

“Regulatory Authority” means any governmental, regulatory or other competent authority that regulates and/or supervises any BT Group Company;

“Responsible BT Group Company” has the meaning provided in paragraph 14.9;

“Rules” means the rights and obligations set out in this deed;

“Sub-Processor” means any BT Group Company sub-processor that processes BT Personal Data or Third Party Personal Data (as the context requires), under an agreement or arrangement with a Data Processor, for the purposes of providing processing services to a Data Controller;

“Sub-Processing Agreement” means a sub-processing agreement between a Data Processor and a Sub-Processor or external sub-processor (as the context requires) entered into for the purposes of providing processing services to a Data Controller;

“The Way We Work” means BT’s overarching statement of business principles which is available to all Personnel at https://office.bt.com/sites/ethicsandcompliance/Shared%20Documents/Policies%20and%20Website%20Information/TWWW/TWWW_Policy_UK.pdf#zoom=100, as amended or replaced from time to time;

“Third Party Personal Data” means personal data originating from an external third party Data Controller, that is subsequently disclosed or made available to a EEA based Data Processor;

“Working Day” means a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.

2.3 These Rules will be interpreted in accordance with the Data Protection Legislation.

2.4 In these Rules:

2.4.1 references to a statute or statutory provision include:

(a) that statute or statutory provision as from time to time modified, re-enacted, consolidated, or replaced, whether before or after the date of these Rules, which in the case of the Data Protection Directive shall include (without limitation) the provisions of any general data protection regulation, if and when such a regulation is brought into force;

(b) any past statute or statutory provision (as from time to time modified, re-enacted or consolidated) which that statute or provision has directly or indirectly replaced; and

(c) any subordinate legislation made from time to time under that statute or statutory provision, which is in force at the date of these Rules;

2.4.2 references to:

(a) a person include any company, partnership or unincorporated association (whether or not having separate legal personality); and

(b) a company include any company, corporation or any body corporate, wherever incorporated; and

2.4.3 references to one gender include all genders and references to the singular include the plural and vice versa.

3. Scope

3.1 These Rules apply to all Personal Data (that falls within the geographical scope set out in paragraph 1.2) which is processed by BT Group Companies, whether acting as a Data Controller, Data Processor, or Sub-Processor.

3.2 These Rules apply in all jurisdictions where one or more BT Group Companies are based and cover the processing of Personal Data both on-line and off-line (provided that in the case of off-line records, the Personal Data forms part of a structured manual filing system).

3.3 A list of the BT Group Companies which are bound by these rules can be found in Appendix 1 (BT Group Companies).


3.4 The nature and material scope of the Personal Data that the BT Group Companies process (as part of their regular business activities) are set out in Appendix 2 (Purposes of Processing).

4. Privacy Principles

4.1 When acting as a Data Controller, each BT Group Company will follow the principles set out in paragraph 4.2 (subject to exemptions provided by Applicable Law) when processing Personal Data:

4.2 Personal Data will be:

4.2.1 processed fairly and lawfully, including in accordance with the conditions set out in the Data Protection Legislation from time to time;

4.2.2 collected for specified, explicit and legitimate purposes and not further processed in a way that is incompatible with those purposes;

4.2.3 only processed to the extent that it is adequate, relevant and not excessive in relation to the purposes for which it is collected and/or further processed;

4.2.4 accurate and, where necessary, kept up to date and every reasonable step will be taken to ensure that Personal Data which is inaccurate or incomplete, taking into account the purposes for which it was collected or for which it is further processed, is erased or corrected; and

4.2.5 kept in a form which permits identification of Individuals for no longer than is necessary for the purposes for which the Personal Data was collected or is further processed.

4.3 When acting as a Data Processor or Sub-Processor for a third party Data Controller, each BT Group Company will comply with the following principles (subject to exemptions provided by Applicable Law) when processing Third Party Personal Data:

4.4 Data Processors and Sub-Processors will, in respect of Third Party Personal Data:

4.4.1 help and assist the third party Data Controller to comply with the legal requirement in Article 6(1)(a) of the Data Protection Directive to process Third Party Personal Data fairly and lawfully;

4.4.2 process Third Party Personal Data in compliance with the third party Data Controller’s instructions, and if they are unable to do so and provided this cannot be corrected, inform the third party Data Controller promptly, in which case, the third party Data Controller may be entitled to suspend the transfer of Third Party Personal Data to the relevant BT Group Company and/or terminate the relevant Data Processing Agreement, subject to the terms and conditions of the relevant Data Processing Agreement;


4.4.3 in the event of the termination of data processing services provided on behalf of a third party Data Controller, at the option of the third party Data Controller, return all relevant Third Party Personal Data (including copies) to the third party Data Controller, or destroy this Third Party Personal Data and certify to the third party Data Controller that they have done so, unless Applicable Law prevents them from returning or destroying the Third Party Personal Data, in which case the relevant Data Processor and/or Sub-Processor will inform the third party Data Controller and warrant to it that they will guarantee the confidentiality of this Third Party Personal Data and that they will no longer actively process this Third Party Personal Data; and

4.4.4 help and assist the third party Data Controller to comply with the legal requirements in relation to data quality, as set out in Articles 6(1)(b)-(e) of the Data Protection Directive. Specifically they will:

(a) introduce any necessary measures when requested by the third party Data Controller, in order to have relevant Third Party Personal Data processed by the Data Processor and/or Sub-Processor updated, corrected or deleted and inform other BT Group Companies to which the Third Party Personal Data has been disclosed of these updates, corrections or deletions; and

(b) introduce any necessary measures when requested by the third party Data Controller, in order to have relevant Third Party Personal Data processed by the Data Processor and/or Sub-Processor deleted or anonymised once it is no longer necessary to identify Individuals and inform other BT Group Companies to which the Third Party Personal Data has been disclosed of any deletion or anonymisation.

5. Transparency and Information Access

5.1 All BT Group Companies will make sure that these Rules are readily available to Individuals. The Rules are published on our website: www.bt.com. Information is also available on the BT Privacy Centre which can be accessed at:

http://home.bt.com/pages/navigation/privacypolicy.html

5.2 Individuals can contact us if they have any queries in relation to the handling of their Personal Data under these Rules, or if they would like to obtain a hard-copy version of these Rules. Our contact details are:

The Chief Privacy Office, Box 26, BT Centre, 81 Newgate Street, London, EC1A 7AJ

[email protected]


5.3 Each BT Group Company will, when acting as a Data Controller, inform Individuals of the processing of their Personal Data through privacy notices provided by the relevant BT Group Companies.

5.4 Before any BT Group Company, which is acting as a Data Controller, will process any Personal Data, it will make sure that Individuals have been provided with the following information:

5.4.1 the identity of the BT Group Company Data Controller (and of their representatives, if any);

5.4.2 the purposes for which the Personal Data is intended to be processed;

5.4.3 any further information such as:

(a) the recipients or categories of recipients of the Personal Data;

(b) whether replies to any questions are required or optional, as well as the possible consequences of failure to reply; and

(c) the existence of the Individual’s right of access to and the right to correct their Personal Data,

but only to the extent that further information is necessary to guarantee fair processing in respect of the Individual, taking into account the specific circumstances in which the Personal Data is processed.

5.5 Where the Personal Data has not been collected directly from the Individual, the obligation to give Individuals the information set out in paragraph 5.4 will not apply if the provision of such information: proves impossible, would involve a disproportionate effort, or if recording or disclosure is expressly permitted by Applicable Law.

6. Rights of Individuals

6.1 Subject to exemptions provided by Applicable Law, each BT Group Company will, when acting as a Data Controller, make sure that every Individual has the right to:

6.1.1 obtain without constraint at reasonable intervals and without excessive delay or expense a copy of their Personal Data that is processed by the BT Group Company; such right being, in any event, subject to Applicable Law.

6.1.2 obtain the correction, erasure or blocking of their Personal Data that is processed by the BT Group Company, in particular when the Personal Data is incomplete or inaccurate;

6.1.3 object, at any time on compelling legitimate grounds relating to their particular situation, to the processing of their Personal Data, unless that processing is required by Applicable Law. Where the objection is justified, the relevant BT Group Company will make sure that it stops the processing that is of concern; and/or

6.1.4 object, on request and free of charge, to the processing of their Personal Data for the purposes of direct marketing.

6.2 In the event that an Individual makes a request for their Personal Data in accordance with paragraph 6.1.1 above the relevant BT Group Company will respond to any such request and provide the requested information (unless it is permitted by Applicable Law to refuse the request, or to comply only in part with the request, or in the case of Third Party Personal Data, unless otherwise agreed with the third party Data Controller) within the timescales set by Applicable Law. All requests for access to Personal Data should be sent to the Individual’s regular contact point at the relevant BT Group Company, or alternatively addressed to:

The Chief Privacy Office Box 26, BT Centre 81 Newgate Street London, EC1A 7AJ

6.3 Each BT Group Company will make sure that no evaluation or decision about an Individual which significantly affects that Individual will be based only on the automated processing of their Personal Data unless the evaluation or decision:

6.3.1 is taken during the entering into or performance of a contract, at the request of the Individual or where there are suitable measures to safeguard the Individual’s legitimate interests (including arrangements allowing him or her to put forward his or her point of view), or

6.3.2 is allowed by Applicable Law which also contains measures to protect the Individual’s legitimate interests.

6.4 Each Data Processor and Sub-Processor will, in respect of Third Party Personal Data:

6.4.1 introduce any necessary measures at the third party Data Controller’s reasonable request and, where relevant, communicate useful information of which it is aware to help the third party Data Controller to comply with the duty to respect the rights of Individuals as set out in Articles 12, 14 and 15 of the Data Protection Directive; and

6.4.2 send to the third party Data Controller any Individual request without answering it, unless authorised to do so.

7. Security and Confidentiality

7.1 All BT Group Companies will take appropriate technical and organisational security measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of Personal Data over a network, and against all other unlawful forms of processing (including taking steps to ensure the reliability of employees who have access to Personal Data).

7.2 Taking into account technological developments and the cost of their implementation, the measures that will be put in place will ensure a level of security appropriate to the risks associated with the processing and the nature of the information to be processed.

7.3 In relation to the processing of Third Party Personal Data, each Data Processor and Sub-Processor will: (i) implement security and organisational measures that as a minimum meet the requirements of the Applicable Laws of the third party Data Controller and also meet any particular measures specified in the relevant Data Processing Agreement; and (ii) inform the third party Data Controller of any relevant Third Party Personal Data security breach without delay.

7.4 The specific security and organisational measures that will be implemented in order to protect Personal Data are set out in Appendix 4 to these Rules.

8. Internal Processing of Personal Data

8.1 Each Data Processor will follow the instructions of, and be bound by, the relevant Data Controller entity in relation to the processing of Personal Data.

8.2 Each Data Processor will be entitled to sub-contract the processing of Personal Data to a Sub-Processor, provided that, in the case of Third Party Personal Data, the third party Data Controller has provided its prior written consent to this and has been supplied with information as to: (i) the identity of the Sub-Processor; (ii) the country or countries in which the Third Party Personal Data will be processed; and (iii) the security measures and guarantees that will be in place, including in respect of transfers outside of the EEA to non-Approved Countries and at the third party Data Controller’s request, copies of any relevant Sub-Processing Agreements (although where these Rules apply Sub-Processing Agreements are not required for the appointment of internal Sub-Processors), provided that confidential and/or commercially sensitive material may be removed or redacted prior to disclosure.

8.3 The prior written consent of the third party Data Controller, as referred to in paragraph 8.2 above, may be provided as a general consent for all sub-processing activities in respect of the relevant Third Party Personal Data, or on a case by case basis. If a general consent is provided, then the relevant Data Processor will keep the third party Data Controller informed of any changes concerning the addition or replacement of Sub-Processors as soon as practicable, so that the third party Data Controller can object to the change and, provided that the objection cannot be remedied, terminate the Third Party Personal Data processing arrangement, subject to the terms and conditions of the relevant Data Processing Agreement, before Third Party Personal Data is passed to the relevant Sub-Processor.


9. External Processing of Personal Data

9.1 A BT Group Company may only transfer Personal Data to an external data processor in accordance with the requirements and instructions of BT Plc.

9.2 Where a BT Group Company acting as a Data Controller uses an external data processor to process Personal Data the BT Group Company will:

9.2.1 make sure that the data processor provides sufficient guarantees that there are appropriate security and operational measures governing the processing of the Personal Data;

9.2.2 make sure that the data processor continues to comply with those guarantees; and

9.2.3 enter into a written contract with the data processor which will require the data processor to only act on the Data Controller’s instructions and implement and comply with appropriate technical and organisational measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

9.3 Where a BT Group Company, acting as a Data Controller, transfers Personal Data to an external third party data processor based outside of the EEA and not in an Approved Country, in addition to the obligations set out in paragraphs 9.2.1 and 9.2.2 above the BT Group Company will comply with the rules on the transfer of Personal Data to third countries (as set out in Articles 25 to 26 of the Data Protection Directive) by entering into the Controller to Processor Model Clauses with the data processor in advance of the transfer. When the Controller to Processor Model Clauses are used, this will satisfy the requirement for a written contract as set out in paragraph 9.2.3 above.

9.4 Where a BT Group Company, acting as a Data Controller, transfers Personal Data to an external data controller based outside of the EEA and not in an Approved Country, the BT Group Company will comply with the rules on transfer of Personal Data to third countries (as set out in Articles 25 to 26 of the Data Protection Directive) by entering into the Controller to Controller Model Clauses with the external data controller.

9.5 A Data Processor will only be entitled to use an external sub-processor to process Third Party Personal Data: (i) with the written consent of the third party Data Controller; (ii) provided that the equivalent information as set out in paragraph 8.2 is provided to the Data Controller; and (iii) in the case of transfers outside of the EEA and not to an Approved Country, where it has been established that the third country will provide adequate protection for the Third Party Personal Data, in accordance with Articles 25 and 26 of the Data Protection Directive. The Data Processor will also be required to enter into a written Sub-Processing Agreement with the external sub-processor under which the external sub-processor must agree to:

9.5.1 implement and comply with appropriate technical and organisational measures to protect the Third Party Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing;

9.5.2 only act on the third party Data Controller’s instructions (unless otherwise required to do so by law); and

9.5.3 respect the same obligations applicable to the Data Processor in the relevant Data Processing Agreement and paragraphs 4.4, 6.4, 7.3, 14.2-14.7, 14.7, 14.8 and 15 of these Rules.

10. Assurance and Audit

10.1 BT’s internal audit function is comprised of three lines of monitoring and audit as

follows:

10.1.1 First Line of Monitoring and Audit (Business Frontline): these are the controls that are in place within each BT Group Company in connection with its day-to-day business such as written policies, operational procedures, risk identification and self-assessment. Controls are designed into systems and processes and operational management is responsible for compliance.

10.1.2 Second Line of Monitoring and Audit (Compliance Function): these are the functions and executive committees that are in place to provide oversight of the effective operation of the business frontline, including defining policies and guidance. Functions include group-wide teams in human resources, finance, security, IT, revenue assurance, legal and regulatory, regulatory compliance and the central Sarbanes-Oxley team. These functions are responsible for reviewing the management of risks at group, line of business and business unit level. Each function reports upon the work undertaken and significant findings to the appropriate executive risk oversight committees, including: the operating committee; line of business audit committees; the health and safety, security, global sourcing, ethics, data protection (which includes compliance with these Rules) and corporate social responsibility committees; and the group risk panel. These functions may also report to the BT Plc board’s audit committee/risk committee as described in relation to the “Third Line of Monitoring and Audit” below. The regulatory compliance function carries out risk-based annual reviews of compliance with these Rules and reports its findings to the board-appointed executive and oversight sub-committees, including: (i) the data governance risks and assurance group, (ii) the business specific audit and risk committee, (iii) the group compliance panel; and (iv) the regional governance committees.

10.1.3 Third Line of Monitoring and Audit (Internal Audit): this is the independent assurance provided by the BT Plc board audit and risk committee and the internal audit function that reports to that committee. Internal audit undertakes a programme of risk and compliance based audits covering all aspects of both the first and second lines of monitoring and audit, including in relation to compliance with these Rules. The findings from these audits are reported to all three lines of monitoring and audit: operational management; the executive and oversight sub-committees, including (i) the data governance risks and assurance group, (ii) the business specific audit and risk committee, (iii) the group compliance panel and (iv) the regional governance committees; and the BT Plc board audit and risk committee.

10.2 Corrective actions are taken by the appropriate persons where a need for this is identified by reviews or audits carried out pursuant to paragraphs 10.1.1 to 10.1.3 above.

10.3 Subject to paragraph 10.7 below, summaries of the reviews described in paragraph 10.1.2 in relation to processing activities carried out in respect of Third Party Personal Data by Data Processors will be made accessible to the relevant third party Data Controller upon its reasonable request, subject to and in accordance with the terms and conditions of the relevant Data Processing Agreement.

10.4 Subject to paragraph 10.7 below, a Data Processor and Sub-Processor will accept, at the reasonable request of the relevant third party Data Controller, to submit their Personal Data processing facilities for audit of those processing activities relating to the Third Party Personal Data of that Data Controller. The audit will be: (i) carried out by the Data Controller or independent and professionally qualified auditors selected by the Data Controller (where applicable in agreement with the relevant data protection authority); (ii) at the Data Controller’s sole expense; (iii) subject to the Data Processor and/or Sub-Processor’s confidentiality requirements; and (iv) carried out without unreasonable disruption to the relevant Data Processor and/or Sub-Processor.

10.5 Subject to paragraph 10.7 below, a BT Group Company will communicate the outcome of any review or audit in its jurisdiction or in relation to Personal Data exported from the EEA to that jurisdiction that is carried out under paragraphs 10.1.2 or 10.1.3, to the local data protection authority in that jurisdiction upon request from that local data protection authority.

10.6 Subject to paragraph 10.7 below, a BT Group Company will allow its local data protection authority to audit that BT Group Company in order to gather the information necessary to demonstrate the BT Group Company’s compliance with these Rules.

10.7 BT Group Companies will only share information with, and permit audits by: (i) their local data protection authority; or (ii) the relevant third party Data Controller, to the extent strictly required by this paragraph 10 and provided that: (i) the information relates only to compliance with these Rules; (ii) the information does not contain any commercially sensitive information relating to or owned by any BT Group Company, or any of their respective clients; (iii) the information does not contain any confidential information relating to or owned by a third party; (iv) the information is not subject to the law of privilege; and (v) disclosure of the information would not be in conflict with any Applicable Law.

11. Compliance Structure

11.1 BT’s compliance structure is comprised of a Chief Privacy Officer and a network of data protection officers and security professionals (together the “Chief Privacy Office”) who operate across all BT Group Companies.

11.2 The Chief Privacy Officer’s role is to advise the BT group board of directors, deal with data protection authorities’ investigations, report annually on compliance with these Rules and oversee and ensure compliance with these Rules at a global level.

11.3 The Chief Privacy Office, with support from relevant BT Personnel, is responsible for handling complaints from Individuals in all jurisdictions, reporting major privacy issues to the Chief Privacy Officer and for ensuring compliance at a local level.

12. Conflicts

12.1 In the event that any person within a BT Group Company has reason to believe that Applicable Laws may prevent any BT Group Company from fulfilling its obligations under these Rules and have a substantial adverse effect on how these Rules work, that person is required to promptly notify the Chief Privacy Officer on the following contact details, unless they are not permitted to do so, such as where there is a criminal investigation and the confidentiality of the investigation needs to be preserved:

The Chief Privacy Officer
Box 26, BT Centre
81 Newgate Street
London, EC1A 7AJ
[email protected]

The Chief Privacy Officer will then take a responsible decision on what action to take and will consult the relevant data protection authorities if there is any doubt.

12.2 In the event that a Data Processor or Sub-Processor has reason to believe that existing or future Applicable Law may prevent it from fulfilling the instructions received from the third party Data Controller in relation to Third Party Personal Data, or its obligations under these Rules or the relevant Data Processing Agreement, it will promptly notify this to:

12.2.1 the third party Data Controller, which, provided that the notification concerns a genuine conflict that cannot be remedied, may be entitled to suspend the relevant data transfer and/or terminate the relevant Data Processing Agreement, subject to the terms of the relevant Data Processing Agreement; and

12.2.2 the relevant Data Processor or Sub-Processor’s privacy officer/function; and

12.2.3 the data protection authority governing the third party Data Controller’s processing activities.

12.3 The Data Processor or Sub-Processor will communicate any legally binding request for disclosure of Third Party Personal Data by a law enforcement authority to the relevant third party Data Controller unless otherwise prohibited, such as due to a prohibition under criminal law in order to preserve the confidentiality of a law enforcement investigation. In any case, the request for disclosure should be put on hold and the data protection authority referred to in paragraph 12.2.3 above and the lead data protection authority for these Rules should be clearly informed about it.

12.4 Any transfers of Personal Data to a law enforcement authority must be based on legal grounds according to Applicable Law. In the case of a conflict of laws, it may be necessary to refer to the applicable international treaties and agreements.

12.5 In the event that any Applicable Law imposes a higher level of protection for Personal Data than that described in these Rules, then the relevant Applicable Law will take precedence over these Rules in respect of the point of conflict only.

12.6 No BT Group Company will be responsible for any breach of these Rules, if and to the extent that compliance with these Rules is prevented by an Applicable Law.

13. Complaints

13.1 If an Individual would like to make a complaint in relation to these Rules, he or she can contact us using the contact details below and providing full details of the issue:

Residential customers:
Customer Service Manager
BT Customer Correspondence Centre
Providence Row
Durham DH98 1BT
Telephone: 0800 800 150

Small business customers:
BT Business Accounts
Providence Row
Durham DH98 1BT
Telephone (sales/services): 0800 800 152
Telephone (billing): 0845 600 6156
Telephone (faults): 0800 800 154

Procedure for where a BT Group Company is the Data Controller

13.2 The relevant contact set out in paragraph 13.1 above will:

13.2.1 liaise with all relevant internal departments and external businesses and people to deal with the complaint;

13.2.2 acknowledge receipt of the complaint as soon as reasonably practicable, and no later than 5 working days after receiving it;

13.2.3 respond substantively to the complaint within 10 working days after acknowledging receipt of it, although if the complaint is particularly complex the response may take up to 30 working days;

13.2.4 use reasonable endeavours to acknowledge receipt of the complaint and respond substantively to it promptly for matters which are urgent, provided that the Individual making the complaint has made it clear that the matter is urgent; and

13.2.5 have an appropriate level of independence in the exercise of its functions.

13.3 If the complaint is rejected, the Individual will be told of this as soon as reasonably practicable after the decision has been made, and in any event within 10 working days.

13.4 If the complaint is justified, the Individual will be told of this as soon as reasonably practicable after the decision has been made. The relevant contact set out in paragraph 13.1 above will make sure that any corrective actions are taken to deal with the matters raised in the complaint.

13.5 Individuals are also entitled to make a complaint to their local data protection authority or a relevant court instead of and/or in addition to using the internal complaints procedure set out in this paragraph 13.

Procedure for where the BT Group Company is a Data Processor

13.6 Where any Data Processor or Sub-Processor receives a complaint from an Individual in relation to Third Party Personal Data, the Data Processor or Sub-Processor will forward the complaint or request to the relevant third party Data Controller without delay and without obligation to handle it (unless otherwise agreed with the third party Data Controller).

13.7 In the event that the relevant third party Data Controller disappears factually, ceases to exist in law or becomes insolvent, the complaint or request from the Individual will be dealt with in accordance with the procedure set out in paragraphs 13.2 to 13.5 above.

14. Third Party Beneficiary Rights and Liability

Rights and liabilities applicable where a BT Group Company is a Data Controller

14.1 In the event that an EEA based Individual suffers damage as a direct result of a breach of these Rules by a BT Group Company then, subject to the limitation of liability provisions set out in paragraphs 14.14 and 14.15 below, the EEA based Individual is entitled to bring a claim for remediation of the relevant breach (where the breach is remediable) and/or compensation as a third party beneficiary against the BT Group Company that is responsible for the breach before:

14.1.1 the courts of the relevant EEA based BT Group Company that is at the origin of the transfer of Personal Data outside of the EEA; or

14.1.2 the courts of the relevant non-EEA based BT Group Company; or

14.1.3 any data protection authority that is able to exert jurisdiction over the claim.

Rights and Liabilities applicable where a BT Group Company is a Data Processor

14.2 Any EEA based Individual who has suffered damage as a result of any breach of paragraphs 1.4(iii), 1.5, 3.3, 4.4, 5.1, 7.3, 12.2, 13, 14.2-14.6, 14.9-14.12, 15.3 and 15.4 of these Rules by a Data Processor in respect of Third Party Personal Data is, subject to paragraphs 14.14 and 14.15, entitled to bring a claim for remediation of the relevant breach (where the breach is remediable) and/or compensation as a third party beneficiary from the third party Data Controller for the damage suffered.

14.3 If an EEA based Individual is not able to bring a claim in accordance with paragraph 14.2 against the third party Data Controller arising out of a breach by a Data Processor in respect of Third Party Personal Data because the third party Data Controller has factually disappeared or ceased to exist in law or has become insolvent, the EEA based Individual may issue a claim against the relevant Data Processor as if it were the third party Data Controller, unless any successor entity has assumed the entire legal obligations of the third party Data Controller by contract or by operation of law, in which case the EEA based Individual can enforce its rights against such entity.

14.4 The Data Processor of Third Party Personal Data may not rely on a breach by a relevant Sub-Processor or external sub-processor of its obligations in order to avoid its own liabilities.

14.5 If an EEA based Individual is not able to bring a claim against the third party Data Controller or the relevant Data Processor arising out of a breach by any Sub-Processor of paragraphs 1.4(iii), 1.5, 3.3, 4.4, 5.1, 7.3, 12.2, 13, 14.2-14.6, 14.9-14.12, 15.3 and 15.4 in respect of Third Party Personal Data because both the relevant third party Data Controller and the Data Processor have factually disappeared or ceased to exist in law or have become insolvent, the EEA based Individual may, subject to paragraphs 14.14 and 14.15, issue a claim against the relevant Sub-Processor as if it were the third party Data Controller or the Data Processor, unless any successor entity has assumed the entire legal obligations of the relevant third party Data Controller or Data Processor by contract or by operation of law, in which case the EEA based Individual can enforce its rights against such entity. The liability of the relevant Sub-Processor shall be limited to its own processing operations.

14.6 The relevant jurisdiction for the claim shall be:

14.6.1 the courts of the third party Data Controller; or

14.6.2 the courts of the relevant Data Processor; or

14.6.3 the courts of the relevant Sub-Processor; or

14.6.4 any data protection authority that is able to exert jurisdiction over the claim,

and the EEA based Individual must agree to submit to the exclusive jurisdiction of the jurisdiction where the claim is made.

14.7 These Rules are either incorporated by reference (including a link to enable electronic access to these Rules) into the relevant Data Processing Agreement(s) or annexed to the relevant Data Processing Agreement(s), and each third party Data Controller has the right, subject to paragraphs 14.14 and 14.15, to bring a claim for remediation (where remediation is possible) and/or compensation for damage suffered in respect of any breach in relation to Third Party Personal Data of:

14.7.1 these Rules, against any Data Processor acting on the third party Data Controller’s behalf in the event of any breach of these Rules caused directly by that Data Processor; or

14.7.2 these Rules or the relevant Data Processing Agreement, against any Data Processor acting on the third party Data Controller’s behalf in the event of any breach of these Rules or the relevant Data Processing Agreement caused directly by a Sub-Processor acting on behalf of that Data Processor; or

14.7.3 any relevant Sub-Processing Agreement, against any Data Processor acting on that Data Controller’s behalf in the event of a breach of the Sub-Processing Agreement by an external non-EEA based sub-processor appointed under that Sub-Processing Agreement.

14.8 The relevant jurisdiction for the claim shall be:

14.8.1 the courts of the third party Data Controller; or

14.8.2 the courts of the relevant Data Processor; or

14.8.3 any data protection authority that is able to exert jurisdiction over the claim,

and the third party Data Controller must agree to submit to the exclusive jurisdiction of the jurisdiction where the claim is made.

Burden of Proof

14.9 Subject to paragraphs 14.14 and 14.15 below, each BT Group Company acknowledges that, in the event that an EEA based Individual or third party Data Controller can establish facts which show that it is likely that he/she/it has suffered damages and is entitled to make a claim under this paragraph 14, the burden of proof rests with any BT Group Company that the EEA based Individual or third party Data Controller is entitled to claim against (as set out in this paragraph 14) (the “Responsible BT Group Company”) to demonstrate that the BT Group Company or the external sub-processor that is alleged to have caused the breach is not liable for the breach resulting in the damages claimed by the EEA based Individual or third party Data Controller.

14.10 In the event that a Responsible BT Group Company can prove that a relevant BT Group Company or external sub-processor is not liable for the alleged breach, then the Responsible BT Group Company and the BT Group Company and/or external sub-processor alleged to have committed the breach may discharge themselves from any responsibility in connection with any claim made by an EEA based Individual or third party Data Controller on the basis of that alleged breach.

14.11 A BT Group Company or external sub-processor shall not be considered to have breached these Rules, a relevant Data Processing Agreement or any relevant Sub-Processing Agreement (as applicable) if it has achieved the standard of care that is appropriate in the circumstances and/or acted (or omitted to act) in accordance with Applicable Law.

14.12 If it is held that a BT Group Company or external sub-processor has breached these Rules, a relevant Data Processing Agreement or any relevant Sub-Processing Agreement (as applicable), it will be the responsibility of the person who brought the claim to prove that he or she suffered damage as a result of such a breach and to prove the amount of the damage.

Limitation of liability

14.13 The submission by any BT Group Company to a jurisdiction in respect of a claim relating to a breach of these Rules shall not constitute submission to that jurisdiction in respect of any claims that do not relate to compliance by a BT Group Company with these Rules or for any other purpose whatsoever.

14.14 To the maximum extent permitted by Applicable Laws, no BT Group Company shall be liable for:

14.14.1 punitive or exemplary damages (i.e. damages intended to punish a party for its conduct, rather than to compensate the victim of such conduct); or

14.14.2 indirect loss, consequential loss or special damages, howsoever caused.

14.15 In any event, a BT Group Company will only be liable for damages which have been:

14.15.1 agreed by the relevant BT Group Company under a signed settlement or compromise agreement with the relevant person; or

14.15.2 awarded against a BT Group Company by a judgment that cannot be appealed or under a court order, or by any other legal award made by a court or tribunal with valid jurisdiction.

15. Cooperation with Data Protection Authorities

15.1 All BT Group Companies co-operate and help one another to deal with any:

15.1.1 request by an Individual, including for a copy of their Personal Data;

15.1.2 complaint by an Individual, or

15.1.3 inquiry or investigation by the relevant data protection authorities.

15.2 Each BT Group Company will respect and comply with any advice given by the relevant data protection authorities on any issues regarding the interpretation of these Rules.

15.3 Each Data Processor or Sub-Processor will: (i) accept that its Third Party Personal Data processing facilities, in respect of processing activities carried out on behalf of a third party Data Controller, may be audited by the data protection authority competent for that Data Controller; and (ii) respect and comply with any advice given by that data protection authority on any issues regarding the interpretation of these Rules.

15.4 Each Data Processor or Sub-Processor will, in respect of Third Party Personal Data, cooperate with and assist the relevant third party Data Controller to comply with applicable data protection laws to the extent reasonably possible and within a reasonable timeframe.

16. Updates to these Rules

16.1 From time to time, it may be necessary to change these Rules or add to them. In particular, this may be because of a change:

16.1.1 in Applicable Law; or

16.1.2 to the structure of our group of companies.

16.2 If the Rules are changed or added to substantively, BT Plc will report such changes or additions to:

16.2.1 all BT Group Companies;

16.2.2 the relevant data protection authorities;

16.2.3 relevant Individuals; and

16.2.4 in the case of substantive changes or additions affecting processing activities carried out by BT Group Companies on behalf of third party Data Controllers, the relevant third party Data Controller.

16.3 Where paragraph 16.2.4 applies and the change or addition will have a material impact on the conditions under which Third Party Personal Data is processed for the third party Data Controller, for example a change in Sub-Processors or external sub-processors, BT will notify the relevant third party Data Controller(s) as soon as practicable in order to enable the third party Data Controller(s) to object to the change or addition and provided that the objection cannot be remedied, the third party Data Controller(s) may be entitled to change or terminate the relevant Data Processing Agreement, subject to the terms and conditions of the relevant Data Processing Agreement, in advance of implementation of the proposed change or addition.

16.4 Some changes or additions (particularly those which significantly affect data protection compliance) may need to be authorised by the data protection authorities.

16.5 Appendix 5 of these Rules contains a revision history that sets out information about changes made to these Rules, including the date of the change and a summary of the change.

This document has been executed as a deed and is delivered and takes effect on the date stated at the beginning of it.